NIST Post-Quantum Cryptography Standardization: Round 3
What is the PQC standardization project?
Determining the most quantum-safe algorithms
NIST has run selection processes like the PQC standardization project many times before: candidate algorithms are submitted, evaluated against the project's criteria, and the strongest candidates are chosen as the standard for that category of cryptography. At the time of writing, NIST has just completed the third round of its selection process for quantum-resistant algorithms. The finalists and alternate candidates are as follows:
- Key-Encapsulation Mechanism (KEM) algorithms: Kyber, NTRU, SABER, and Classic McEliece
- Digital signature algorithms: Dilithium, Falcon, and Rainbow
- Alternate KEM algorithms: BIKE, FrodoKEM, HQC, NTRU Prime, and SIKE
- Alternate digital signature algorithms: GeMSS, Picnic, and SPHINCS+
Once the current round ends, one or two of the KEM algorithms and one or two of the digital signature algorithms will be selected as quantum-resistant algorithms strong enough for standardization across the cyber security landscape. After the third round, NIST mathematicians and researchers will continue to evaluate other and newly emerging algorithms to decide whether they are strong enough to join the standardized set of quantum-resistant algorithms.
How can Organizations Prepare for the Future?
Although NIST has not yet released its list of recommended quantum-resistant algorithms, organizations can begin preparing for quantum computers now. The following are a few ways organizations can prepare for the future:
- Quantum Risk Assessment
Performing a quantum risk assessment gives the security teams within your organization a clear picture of where gaps exist in relation to quantum computing. A quantum risk assessment also produces a list of the applications that will be affected by the arrival of quantum computers, giving the organization a detailed inventory of what must be updated when moving to quantum-resistant algorithms. This also feeds into the next step, identifying at-risk data.
- Identify at-risk data
Identifying an organization's at-risk data is extremely important, even for cyber security in general. Having data classification and identification systems in place is vital to keep track of data and ensure it is properly protected.
- Use cryptographically agile solutions
NIST has indicated that using crypto-agile solutions is a good way to begin moving toward quantum-safe security. Crypto-agility is the ability to switch between algorithms, primitives, and other cryptographic mechanisms without causing significant disruption to the organization's infrastructure.
- Develop an understanding of quantum computing and its risks
Training employees on what to expect from quantum computing, and on the methods for becoming quantum-resistant, gives them a mindset that is already prepared for the post-quantum age.
- Track the NIST’s PQC Standardization Project
By following the PQC Standardization Project, an organization can stay up to date on changes to the quantum-resistant algorithms still in the running and switch to the selected algorithms when the time is right.
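The crypto-agility and at-risk-data items above can be illustrated in code. The following is an added example, not code from NIST or from the original article: a small algorithm registry in which every protected record carries the identifier of the algorithm that produced it, so the algorithm can be swapped, deprecated records can be found, and data can be migrated without callers hard-coding a primitive. HMAC constructions stand in for the KEM and signature primitives (the standard library has no PQC algorithms), and the identifiers and envelope layout are assumptions made for the example.

```python
import hashlib
import hmac

# Registry of algorithms keyed by a wire identifier. Adding a new algorithm
# (for example a future standardized post-quantum primitive) means adding one
# entry here; callers never name a primitive directly. The identifiers are
# assumptions for this example, and HMAC stands in for real PQC primitives.
ALGORITHMS = {
    "hmac-sha1": lambda key, msg: hmac.new(key, msg, hashlib.sha1).digest(),
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}
DEPRECATED = {"hmac-sha1"}   # still verifiable, never used for new data
CURRENT = "hmac-sha3-256"    # the algorithm all new and migrated data uses


def protect(key: bytes, msg: bytes, alg: str = CURRENT) -> bytes:
    """Wrap msg in an envelope that names the algorithm used: alg|tag|msg."""
    if alg in DEPRECATED:
        raise ValueError(f"{alg} is deprecated and may not protect new data")
    tag = ALGORITHMS[alg](key, msg)
    return alg.encode() + b"|" + tag.hex().encode() + b"|" + msg


def verify(key: bytes, envelope: bytes) -> tuple:
    """Check the envelope with whichever registered algorithm it names."""
    alg_b, tag_hex, msg = envelope.split(b"|", 2)  # msg may itself contain '|'
    alg = alg_b.decode()
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg}")
    expected = ALGORITHMS[alg](key, msg)
    if not hmac.compare_digest(expected, bytes.fromhex(tag_hex.decode())):
        raise ValueError("tag mismatch")
    return msg, alg


def migrate(key: bytes, envelope: bytes) -> bytes:
    """Re-protect a record under CURRENT if it was made with anything else."""
    msg, alg = verify(key, envelope)
    return envelope if alg == CURRENT else protect(key, msg, CURRENT)


def inventory(envelopes) -> dict:
    """Count stored records per algorithm: the at-risk data inventory step."""
    counts = {}
    for env in envelopes:
        alg = env.split(b"|", 1)[0].decode()
        counts[alg] = counts.get(alg, 0) + 1
    return counts
```

Running `inventory` over a store before migration shows how many records still depend on a deprecated algorithm, which is exactly the list a quantum risk assessment needs.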